GDPR Record of Processing Activities (ROPA)

Under Article 30, the General Data Protection Regulation (GDPR) requires certain organizations under its scope to maintain a Record of Processing Activities, or ROPA for short.

A ROPA is a comprehensive account of a business's data processing activities and other relevant information. This document not only helps demonstrate a commitment to upholding data protection best practices but can also offer valuable insights about an organization's data flows.

In the article below, we'll explain what the GDPR's ROPA obligation entails, including why it's important to maintain one, which businesses it applies to, what it requires, and practical steps for ensuring compliance.

Let's get into it.

What is a Record of Processing Activities (ROPA)?

A Record of Processing Activities (ROPA) is an overview/snapshot of all aspects of a business's operations that involves handling personal data. It's essentially a living document that provides an in-depth description of a business's data processing activities.

For clarity's sake, it's important to understand how the GDPR defines two key terms here: "personal data" and "processing activities."

First, personal data under the GDPR refers to any information "relating to an identified or identifiable natural person." Examples include names, physical/email addresses, phone numbers, ID numbers, financial details, IP addresses, web cookies, etc.

On the other hand, a processing activity refers to any "operation or set of operations" carried out on personal data. This includes but isn't limited to the collection, recording, storage, organization, alteration, disclosure, and destruction of personal data.

Typical examples of processing activities include:

• Collecting email addresses for a mailing list
• Keeping HR records for your employees
• Storing customer purchase history in a database

To get additional context, consider the examples of processing activities provided by the European Commission below:

Maintaining a ROPA entails keeping accurate and up-to-date records of these types of processing activities in a comprehensive document, kind of like an Information Asset Register (IAR).

However, unlike an asset register, a GDPR ROPA clarifies what personal data your organization holds about EU data subjects as well as where you store that data.

Why is a Record of Processing Activities (ROPA) Important?

A ROPA inherently reflects the principles of transparency and accountability, which are essential values for ensuring compliance with the GDPR and many other international privacy laws.

More specifically, maintaining a ROPA is a critical first step to observing key compliance requirements under most data privacy laws, such as:

• Privacy by Design and By Default
• Handling data privacy access request
• Data minimization
• Storage limitation

Aside from being a legal requirement, maintaining an up-to-date ROPA is a data protection best practice for a number of reasons.

A comprehensive ROPA can help you uncover data redundancies and potential data privacy risks. Once identified, you can then take steps to mitigate these threats and optimize your personal data flows at all levels within your organization.

Moreover, in the event of a data breach or other security incident, having a comprehensive ROPA can help you demonstrate that you were taking appropriate measures to protect personal data. In the long run, this could play a key role in limiting your liability regarding a breach or security incident.

Who Must Maintain a Record of Processing Activities Under the GDPR?

The GDPR requires both data controllers and processors that meet certain criteria to maintain an up-to-date ROPA.

Note: Data controllers are individuals or organizations that determine why and how to process personal data. In contrast, data processors are individuals or organizations who carry out data processing activities on behalf of a controller.

For more information, check out our article GDPR Data Controller vs. Data Processor.

According to the GDPR, controllers and processors with 250 employees or more must maintain and be able to present a ROPA to a supervisory authority upon request.

If your business doesn't employ up to 250 employees, you aren't out of the woods yet. You must still maintain a ROPA if you meet any of the following criteria:

• Your data processing activities are likely to result in a risk to data subjects' rights and freedoms
• You process data regularly
• You process special categories of personal data, such as data that reveals racial or ethnic origin, sexual orientation, political opinions, religious beliefs, trade union membership, genetics, biometrics, etc.
• You process personal data relating to criminal offenses and convictions

Given these thresholds, it's clear that the GDPR intends to impose record-keeping responsibilities on nearly every organization under its scope. With that said, let's go over the GDPR requirements for your ROPA.

Requirements of the GDPR Record of Processing Activities (ROPA)

Under Article 30, the GDPR sets out the specific requirements data controllers and processors must address in a valid ROPA. It's important to note that this doesn't stop you from including other pertinent information in your ROPA.

However, you shouldn't stuff your ROPA too full of information, especially with irrelevant details. It needs to be well-organized, clear, and understandable.

With that said, let's examine each requirement in turn.

ROPA Requirements for Data Controllers

For data controllers, a ROPA must contain the following information:

• The name and contact details of the data controller, the controller's representative, and the Data Protection Officer (DPO), if applicable
• The purpose of data processing
• The categories of the data subjects and types of personal data
• The categories of recipients in third countries or international companies who have already received a consumer's personal data or will receive it in the future
• Personal data transfers to a third country or an international company, including a description of appropriate safeguards used
• The estimated time limits for the erasure of different categories of personal data
• A general description of technical and organizational security measures (TOMs) employed to protect personal data

ROPA Requirements for Data Processors

On the other hand, data processors must maintain a ROPA that describes their processing activities carried out on behalf of a controller. This includes the following information:

• The name and contact details of the data processor, the controller(s) who hires the processor, and the DPO, if applicable
• The categories of data processing conducted on behalf of the controller(s)
• Data transfers to a third country or an international company, including a description of suitable safeguards employed
• A description of technical and organizational security measures (TOMs) used to protect data

Practical Steps for Compliance with the GDPR Record of Processing Activities (ROPA)

In light of the GDPR-prescribed requirements above, we've compiled a step-by-step guide to help you fulfill your ROPA responsibilities under the GDPR. Let's take a look.

Conduct a Comprehensive Personal Data Audit

Once you've confirmed that the GDPR's ROPA obligation applies to you, your first course of action should be to conduct a comprehensive audit to map personal data flows at all levels within your organization.

According to the UK Information Commissioner's Office (ICO), you must maintain a "formal, documented, comprehensive and accurate ROPA based on a data mapping exercise that is reviewed regularly."

After all, you can't maintain an accurate record of your data processing activities if you aren't aware of every category of personal data your business handles at each point in time.

Properly Organize Personal Data

The next step in your ROPA compliance journey should be properly organizing the personal data you hold in a well-structured and meaningful way. This mainly involves breaking down personal data into distinct categories and highlighting their purposes.

Document Your Data Processing Activities

At this point, you need to document your data processing activities in both written and electronic form. Remember to include every detail explicitly required by the GDPR in the previous section.

Notably, several data protection authorities, including the UK ICO and the French Data Protection Authority (CNIL), have provided sample templates you can use as a starting point to develop your ROPA. This is provided below:

• CNIL: Record of Processing Activities Template
• UK ICO: ROPA template for controllers
• UK ICO: ROPA template for processors

You should, however, personalize your ROPA to account for several key factors, such as your business's size and the scale of your data processing operations.

It's also important to note that you should delegate ROPA responsibility to someone qualified, either within or outside your organization. Typically, this task is handled by a Data Protection Officer (if you have one) or your EU or UK representative.

Provide Relevant Additional Information

It's a best practice to provide relevant additional information that makes your ROPA more value-driven and eases the burden of comprehension for supervisory authorities.

The UK ICO recommends including the following additional details in your ROPA or providing links to their documentation:

• Where you store personal data, and who has access to it
• A Privacy Policy that addresses details such as the GDPR lawful bases for the processing and the sources of the personal data
• Records of consent
• Controller-processor contracts
• Data Protection Impact Assessment (DPIA) reports
• Records of personal data breaches
• The processing of special categories of data or data concerning criminal convictions and offenses under the GDPR
• Data retention and deletion policy

Regularly Update Your ROPA

Finally, you should regularly review and update your ROPA to make sure it accurately reflects your business's current data processing practices. Most businesses typically revise their ROPA during their annual review.

Furthermore, you should update your ROPA and make necessary adjustments whenever you undertake new data processing activities or if your existing processing activities change.

Summary

A ROPA is a detailed description of an organization's data processing practices. It not only helps demonstrate compliance with the GDPR's record-keeping requirements but also gives businesses complete oversight over their data processing operations.

Under the GDPR, applicable businesses that meet the criteria below must maintain a ROPA:

• You have at least 250 employees
• Your data processing activities will likely threaten data subjects' rights and freedoms
• Your data processing activities are not occasional
• You process special categories of data or data relating to criminal convictions and offenses

If your business meets any of these thresholds, you must maintain a ROPA that contains the information specifically required by the GDPR. Note that the actual content of your ROPA will depend on your role in handling personal data (i.e., data controller vs. processor).

That said, some of the key information you'll need to provide includes relevant names and contact details, the categories of personal data you handle, your purposes for processing personal data, international data transfers, and the technical and organizational measures you employ to safeguard personal data.

We recommend taking the following practical steps when developing your business's ROPA:

• Conduct a thorough audit to map all personal data flows within your organization
• Properly organize personal data into distinct categories
• Document your data processing activities
• Include relevant additional information or links to their documentation
• Keep your ROPA up-to-date

In sum, maintaining an accurate and up-to-date ROPA can help prepare you for unforeseen privacy issues, as well as protect you from enforcement actions, GDPR fines, and reputational damage.